The decentralized social platform Stars Arena experienced a devastating security breach on October 7, 2023, when an attacker exploited a reentrancy vulnerability in its smart contract to drain approximately 266,103 AVAX tokens, valued at roughly $2.88 million at the time. The exploit left the Avalanche C-Chain-based SocialFi platform with less than $1 in remaining funds and sent shockwaves through the broader DeFi community.
The Exploit Mechanics
The attacker, operating from wallet address 0xa2Ebf3FCD757e9BE1E58B643b6B5077D11b4ad7A, executed a classic reentrancy attack by depositing just 1 AVAX into the Stars Arena contract and receiving 266,103 AVAX in return. The vulnerability existed in an unverified smart contract that allowed the transfer of native coins to external contracts without proper safeguards against reentrant calls.
Here is how the attack unfolded step by step. First, the attacker called a deposit function that transferred 1 AVAX to the Stars Arena contract. During this deposit, a callback was made to the exploiter, giving them an opportunity to call another function before the initial function completed. The attacker used this callback to invoke a separate function that modified the variable “owner_a0,” which served as a weighted multiplier in the price acquisition calculation. Finally, the attacker called the sellShares function, which referred to the now-modified variable to calculate the AVAX return amount, resulting in a payout of 274,332 AVAX.
Security analysts from PeckShield and Avascan were among the first to identify and publicize the vulnerability, noting that the reentrancy issue allowed the hacker to sell platform shares at artificially inflated prices. This was not the first time Stars Arena had been targeted; just two days prior on October 5, the same attacker exploited a different vulnerability for approximately $2,000, which the team had attempted to patch.
Affected Systems
The exploit specifically targeted the Stars Arena Shares proxy contract deployed on the Avalanche C-Chain at address 0xA481B139a1A654cA19d2074F174f17D7534e8CeC. The platform, which had gained popularity as a Friend.tech competitor in the SocialFi space, saw its total value locked virtually wiped out in a single transaction.
After draining the funds, the attacker dispersed most of the stolen AVAX to 266 newly created externally owned accounts, each holding approximately 1,000 AVAX worth about $10,200 at the time. Bitcoin was trading at $27,968 and Ethereum at $1,634 on the same day, providing broader market context for the exploit. The incident was the largest reentrancy exploit on the Avalanche chain in 2023 and the fifth largest reentrancy attack recorded that year across all networks.
The Mitigation Strategy
In an unusual turn of events, the Stars Arena team managed to recover approximately 90 percent of the stolen funds through direct negotiations with the hacker. The platform announced that it had reached a settlement agreement, recovering around 239,493 AVAX of the original 266,103 AVAX stolen. This recovery was facilitated through on-chain negotiations and the involvement of security researchers who acted as intermediaries.
The remaining gap was addressed when Stars Arena secured additional funding from community supporters and investors to cover the deficit. The team also deployed a patched version of the smart contract that implemented proper reentrancy guards and followed the Checks-Effects-Interactions pattern recommended by security experts.
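The following Solidity sketch is an added illustration, not Stars Arena's contract (whose source was never verified), covering both the deposit-time callback flaw described under The Exploit Mechanics and the patched design described in this section: a deliberately vulnerable share pool beside a version hardened with OpenZeppelin's ReentrancyGuard and Checks-Effects-Interactions ordering. Contract and function names are hypothetical, and the pro-rata payout multiplier (pool balance / totalShares) stands in for the owner_a0 weight.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical simplified pro-rata share pool (not Stars Arena's contract); the
// payout multiplier balance/totalShares stands in for the "owner_a0" weight.
contract VulnerableShares {
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    // Interaction before effects: msg.sender regains control while the new AVAX is
    // already in the balance but totalShares is stale, so a sellShares call made from
    // the callback is paid out on an inflated multiplier.
    function deposit() public payable virtual {
        uint256 minted = totalShares == 0 ? msg.value : msg.value * totalShares / (address(this).balance - msg.value);
        (bool ok, ) = msg.sender.call("");      // depositor notification callback
        require(ok, "callback failed");
        shares[msg.sender] += minted;           // effects after the external call
        totalShares += minted;
    }

    function sellShares(uint256 amount) public virtual {
        require(shares[msg.sender] >= amount, "insufficient shares");
        uint256 payout = amount * address(this).balance / totalShares;
        shares[msg.sender] -= amount;
        totalShares -= amount;
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }
}

// Hardened: nonReentrant on every entry point that can hand control to a caller, and
// Checks-Effects-Interactions ordering so state is final before the external call.
contract HardenedShares is VulnerableShares, ReentrancyGuard {
    function deposit() public payable override nonReentrant {
        uint256 minted = totalShares == 0 ? msg.value : msg.value * totalShares / (address(this).balance - msg.value);
        shares[msg.sender] += minted;           // effects first
        totalShares += minted;
        (bool ok, ) = msg.sender.call("");      // interaction last, and guarded
        require(ok, "callback failed");
    }

    // sellShares already follows CEI; it still needs the guard so it cannot be
    // re-entered from any other function's external call.
    function sellShares(uint256 amount) public override nonReentrant {
        super.sellShares(amount);
    }
}
```

The guard must sit on every native-coin-moving entry point, not only the one that pays out: a guarded sellShares alone would still be reachable from an unguarded deposit's callback.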
Lessons Learned
The Stars Arena incident underscores several critical lessons for the DeFi ecosystem. First, reentrancy vulnerabilities remain a persistent threat despite being one of the oldest and most well-documented attack vectors in smart contract security. In 2023 alone, ten reentrancy exploits were recorded, with total losses reaching $69.5 million, significantly up from the eight incidents recorded in 2022.
Second, the importance of thorough smart contract auditing cannot be overstated. Stars Arena had not undergone a comprehensive audit from a reputable security firm before deploying its contract, leaving the reentrancy vulnerability undetected. Third, deploying unverified contracts introduces additional risk, as security researchers must decompile the bytecode to understand the contract logic, delaying vulnerability detection and response.
User Action Required
For users who had funds on Stars Arena, the recovery process involved verifying their balances on the patched contract and following the team's updates for any additional compensation programs. More broadly, DeFi users should always verify that platforms they interact with have undergone security audits from recognized firms such as CertiK, Trail of Bits, or OpenZeppelin. Users should also consider the age and testing history of a protocol before depositing significant funds, particularly for newly launched platforms that have not yet been battle-tested under adversarial conditions.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.
1 avax in, 266k avax out. classic reentrancy. the contract wasn't even verified on snowtrace. deploying unverified contracts with millions in TVL should be a criminal offense at this point
bugzapper_ mentioning openzeppelin reentrancy guard hits hard. one import statement and 266k AVAX would still be in the contract
266k AVAX drained and the contract wasn't even verified. deploying unverified contracts with real money flowing through them is insanely reckless – audit_bro_ is right, this should have legal consequences
socialfi platforms keep getting rekt because they rush to launch during hype cycles. friend.tech clone on avalanche with unaudited contracts was always going to end this way
bugzapper_ one import statement. one modifier. 266k avax saved. wild how many millions get lost to the oldest trick in smart contracts
friend.tech clone on avalanche was always going to end badly. socialfi is the new defi in terms of unaudited contracts launching during hype cycles
the progression from 2k AVAX exploit on oct 5 to 266k on oct 7 shows the attacker tested the vulnerability and then went full scale. brutal
what's wild is the attacker only needed 1 AVAX as seed capital. reentrancy is literally the oldest smart contract vulnerability in the book. openzeppelin has a reentrancy guard for this. one line of code
one import statement. one modifier. 266k AVAX saved. smart contract security in 2023 and people still ship without ReentrancyGuard
1 AVAX in, 266k out. reentrancy in 2023 is inexcusable. openzeppelin literally hands you the guard on a silver platter
friend.tech fork on avalanche using unverified contracts. what part of this sounded sustainable. SocialFi season was pure casino